W32.SQLExp.Worm

Info from Symantec's website:

W32.SQLExp.Worm
Discovered on: January 24, 2003
Last Updated on: January 25, 2003 04:20:00 AM



W32.SQLExp.Worm is a worm that targets servers running Microsoft SQL. Since this worm exists only in memory, it cannot be detected by traditional antivirus scanners. As a result, Symantec Security Response will not be posting virus definitions for this threat.

The worm sends 376 bytes to 1434/udp - the SQL Server Resolution Service Port. Beginning at 5:31am GMT, we started to see a significant increase in the unique number of source IPs scanning for 1434/udp. Symantec Security Response highly recommends all MS-SQL server system administrators to audit their machines for known security vulnerabilities immediately.

Symantec Security Response also recommends configuring perimeter devices to block 1434/udp traffic from untrusted hosts.

The worm has the unintended payload of performing a Denial of Service due to the large number of packets it sends out.




Type: Worm
Infection Length: 376 bytes
CVE References: CAN-2002-0649

Wild:

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Easy
Threat Metrics


Wild:
High
Damage:
Low
Distribution:
Low


Damage

Payload:
Degrades performance: May affect network availability
Distribution

Ports: 1434/udp


When W32.SQLExp.Worm compromises a machine it does the following:


Opens a netbios socket to send the worm packet.

Uses the Windows API Function, GetTickCount, to generate a random IP address to send the viral packet to.

Repeatedly sends itself to all IP addresses generated on UDP port 1434

W32.SQLExp will continuously send packets to different IP addresses, effectively performing a Denial Of Service.

 

See also this thread started by Snowy:

http://www.wilderssecurity.com/showthread.php?t=6651

 

Quote from Sophos:
[hr]
SOPHOS WARNS OF SQLSLAMMER INTERNET WORM


Sophos is advising companies to ensure their systems are up-to-date with
the latest security patches in response to a new internet worm
called W32/SQLSlam-A or SQLSlammer.

The worm relies upon a security vulnerability in some versions of Microsoft
SQL server, and creates traffic on UDP port 1434.

Sophos advises companies to ensure their systems are up-to-date with the
latest security patches, including the patch from Microsoft to protect
against the vulnerability exploited by the worm:
http://www.microsoft.com/technet/security/bulletin/MS02-039.asp

Sophos has posted more information about the worm at
http://www.sophos.com/link/slammer

 

Quoting TrendMicro:
[hr]
WORM_SQLP1434.A attacks targets systems using Microsoft SQL Server 2000, allowing affected SQL Servers to send the malicious packet to other SQL Servers and thereby causing a slowdown, or even failure, in the affected network.

The code that executes the denial-of-service attack resides only in memory of affected Microsoft SQL servers, and there are no file counterparts. Because of this, antivirus scanners that do not support memory scanning will not be able to detect the code.

There is no pattern file required.

Trend Micro strongly advises customers to download the latest fix patch supplied by Microsoft, updated on January 17, 2003. The patch is found on this site, http://www.microsoft.com/sql/downloads/2000/sp3.asp


For more information on WORM_SQLP1434.A please visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SQLP1434.A

 

I wanted to mention that DSLR has extensive discussion on this subject, but I saw FanJ in another post already stated that:

 

So my reply and link somewhere soon after starting the "heads-up" thread was not bad at all. My googling found several recommendations about excluding 1434 and 1433 from the trusted zone for all unknown ip's, and more but i stopped posting as there came no reactions on them .......
Good by now the whole internet knows what's going on and what to do.
Still suppose only those running the SQL server are vulnerable and need the patch or am i behind facts now again?

You might like to look with TDS TCP Port Listen to incoming packets, or the Port Explorer socket spy. We did with TDS with determing the CR attacks, nice to see what's been trying without harming thanks to the blockages.

 

It's quite interesting to see how the worms works, thought.... I haven't exposed my PC to it, but was willing to see how this would go on my test computer so has I decided to see what the worm was all about, just to find out that this little f**k is annoying and very moving

anyhow if I knew more about programing I would make a little fix/clean for this. Darn ( I should of learned programing. )

 

What Microsoft has to say about this worm and the patch

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp


admin note: added url tags to fix link ~unicron

 

Updated: January 26, 2003

How do I tell of I have MSDE or SQL Server 2000 installed on my system?

Go to "Start" then "Search" and search the local system for the file "sqlserver.exe". If this file is present on your system, then you have MSDE or SQL Server installed. Next right click on this file and select "properties" then "product version". If the product version is between 8.00.0194 and 8.00.0533 you are running SQL Server 2000 or MSDE 2000 then you need to install SQL Server SP2 before you install this patch.

Next right click on this file and select "properties" then "product version". If the product version is between 8.00.0194 and 8.00.0533 you are running SQL Server 2000 or MSDE 2000 and need the updates discussed by this bulletin.

What do I need to do to make sure that my MSDE installation is updated?

That depends on what product you are using with MSDE. If you are using MSDE with any of the products listed above except Application Center 2000, you need to ensure you have first installed MSDE 2000 Service Pack 2 since this security patch requires Service Pack 2 to be installed. Once you have installed MSDE 2000 Service Pack 2 you need to install the SQL Server 2000 patch.

If you are running Microsoft Application Center 2000, you need to install a version of MSDE Service Pack 2 which is specifically intended to be used with Application Center. This service pack is available at: http://download.microsoft.com/download/AppCenter2000/MSDESP2/QFE813058.exe. Once you have installed the Application Center version of MSDE Service Pack 2, you should install the SQL Server 2000 security patch. More information on the Application Center specific version on MSDE 2000 Service Pack 2 is available in Microsoft Knowledge Base article Q813115.

Why did you only re-release this patch for SQL Server 2000?

The release of the "Slammer" worm virus made it especially critical for SQL Server 2000 customers to deploy this patch. The patch was repackaged with the new SQL Server installer in order to assist customers in this process.

___________________

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-061.asp

Microsoft Security Bulletin MS02-061


Summary
Who should read this bulletin: System administrators using Microsoft® SQL Server™ 7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000.

Impact of vulnerability: Elevation of privilege

Maximum Severity Rating: Critical

Recommendation: System administrators should apply the patch to affected systems.

Affected Software:

Microsoft SQL Server 7.0
Microsoft Data Engine (MSDE) 1.0
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000 (see the FAQ for a list of products that include MSDE 2000)